Supply Chain Attacks

If you suddenly feel like every time you turn around, someone's supply chain is being attacked, well, you're not alone, and you're not wrong. According to various reports from 2021 and so far in 2022, global supply chains bore the brunt of ransomware attacks in 2021, and this will continue for some time into the future.

Why supply chains, you may ask? Wouldn't something like critical infrastructure be of more interest, maybe even a government? The reason, it appears, is that supply chains are heavily linked to the number one targeted industry: manufacturing. With technology growing more detailed, industry wanting visibility over its OT, and resources being downsized in some cases, the gap between OT and IT has shrunk, if not disappeared completely. Thus attacks once thought impossible are proving not only possible but, for the cybercriminal and extortionist, very profitable. And this is extortion, just on the technological side. Even where espionage and sabotage are involved, it usually starts off with extortion.

Second, these attacks tend to be more profitable than others and seem to attract less law enforcement attention. Several reports also note, whether across multiple pages or in a simple comment on a website, that some of these supply chain attacks go unreported for fear of damaging the victim company's reputation, or that of the company it is supplying, and losing contracts.

Reports from ENISA, ARGON, IBM X-Force, CISA and others show that attacks rose during 2021, some estimate by as much as 300-400%. All also appear to agree that gaining access to networks via phishing, stolen Remote Desktop Protocol (RDP) credentials or brute force, and exploiting vulnerabilities are the main attack vectors. Poor vulnerability management and the resulting lack of patching, combined with a lack of cybersecurity resources, seem to be among the main reasons for this. Although new vulnerabilities like Log4j have been used, some older ones have worked as well. REvil seems to be the primary 'ransomware of choice' for attackers, used in between 31-50% of attacks, with all others making up varying percentages of the remainder.

With recent activities in Ukraine, attacks in the coming future and during the conflict will only rise.

What can be done? 

As most reports and experts suggest, security awareness training, vulnerability management, patching, testing and monitoring would go a long way to help reduce the number of successful attacks. Yes, things like Log4j are new and previously unknown, but others are older and are still being reported during breaches.

Companies have devices and systems that are not patched or life-cycled for a variety of reasons: legacy apps, end-of-life software, interoperability with older OT or even IT devices, or, likely the most common, just plain lack of funds, to name a few. The old saying "If it ain't broke, don't fix it" does not apply to cybersecurity in the same manner.

With the cost of an average cybersecurity breach being around $4.24 million USD (IBM/Ponemon report, 2021), can the cost of carrying out some of these changes still be deemed too much? Remember, this is the cost to the companies that survive a data breach.

Some common measures to help reduce the potential for supply chain attacks:

  • Ask suppliers if their company is ISO, NIST or similarly certified

  • Ask suppliers if they have a security and phishing awareness program in effect

  • Ask suppliers if they have a vulnerability management program

  • Ask whether suppliers are monitored for security events such as:

  • Ask whether suppliers have vulnerability scans or penetration tests of their infrastructure, software, and web presence conducted regularly

  • Ask whether suppliers run red/blue teaming exercises or tabletop exercises with their security teams

This list is not a complete solution to all problems but shows some of the things that should be considered with suppliers.

This was just a short article to get your creative cybersecurity mind flowing.
